# elasticsearch.yml.j2
# Cluster and node identity, filled in per host at render time.
# NOTE(review): every templated value in this file is substituted unquoted,
# so an empty expansion renders as YAML null and a value containing ': ' or
# ' #' changes how the line parses -- validate the rendered file.
cluster.name: {{ es_cluster_name }}
# ansible_host is the address Ansible connects to, so the node name may end
# up being an IP address rather than the inventory name -- confirm intended.
node.name: {{ ansible_host }}
# The brackets are literal, so es_node_roles is presumably a comma-separated
# string (not a list) -- TODO confirm against the role's vars.
node.roles: [{{ es_node_roles }}]

# On-disk locations for index data and logs.
path.data: {{ es_data_dir }}
path.logs: {{ es_log_dir }}

# Bind address and listener ports for the HTTP API and node-to-node
# transport.
# NOTE(review): the bind address is not visible here; if it renders to a
# wildcard or public interface, both ports are reachable from every network
# that interface is on, so pair it with host/network firewalling.
network.host: {{ es_network_host }}
http.port: {{ es_http_port }}
transport.port: {{ es_transport_port }}

# Cluster formation. As with node.roles, both variables are presumably
# comma-separated strings placed inside a literal flow sequence.
discovery.seed_hosts: [{{ es_discovery_seed_hosts }}]
# Only used when a brand-new cluster bootstraps for the first time.
# Elasticsearch guidance is to remove this setting once the cluster has
# formed; this template renders it unconditionally -- confirm that is wanted
# for restarts and for nodes joining an existing cluster.
cluster.initial_master_nodes: [{{ es_initial_master_nodes }}]

# Lock the process memory so the heap is not swapped to disk. The service
# needs a sufficient memlock limit for this to take effect; that limit is
# configured outside this file.
bootstrap.memory_lock: true

# Security settings
# Turns on the security features (authentication, authorization, TLS
# support) and allows new nodes/clients to enroll with enrollment tokens.
xpack.security.enabled: true
xpack.security.enrollment.enabled: true

# TLS/SSL settings
# Node-to-node (transport) traffic is encrypted and mutually authenticated.
# verification_mode "certificate" checks that the peer certificate chains to
# a trusted CA but does not check the hostname in it; "full" adds that
# hostname check. With "certificate", any certificate issued by the trusted
# CA can join as a node, so access to the CA key is what gates membership.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# One PKCS#12 file serves as both keystore and truststore.
# NOTE(review): no keystore/truststore password is set in this file;
# presumably it is stored as a secure setting in the Elasticsearch keystore
# -- confirm it is not passed in plain text elsewhere. The .p12 holds a
# private key, so it should be readable by the Elasticsearch user only.
xpack.security.transport.ssl.keystore.path: {{ es_certs_dir }}/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: {{ es_certs_dir }}/elastic-certificates.p12

# Enable HTTPS
# NOTE(review): the HTTP layer reuses the transport keystore, so the key
# that authenticates nodes to each other is also the one presented to API
# clients. A separate HTTP certificate would limit the impact if either file
# leaks -- confirm the reuse is deliberate.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: {{ es_certs_dir }}/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: {{ es_certs_dir }}/elastic-certificates.p12
# "optional": a client certificate is requested and validated if presented,
# but clients without one can still connect and authenticate another way.
xpack.security.http.ssl.client_authentication: optional

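# Cross-origin (CORS) settings for the HTTP API. These only decide which web
# origins a browser will let script against this API; they are not a network
# access control and do not replace firewalling or authentication.
#
# SECURITY: a wildcard origin combined with allow-credentials in effect lets
# any web page a user visits send requests to this cluster that carry the
# browser's credentials (stored HTTP auth, or a client certificate, which
# the HTTP layer above accepts as optional). The defaults below reproduce
# the previously hard-coded values so existing deployments render the same
# settings; override them per environment:
#   es_cors_allow_origin       the one origin that needs access
#                              (Elasticsearch also accepts a /regex/ form)
#   es_cors_allow_credentials  false unless a browser client requires it
# If no browser-based client talks to the cluster directly, CORS can be
# disabled altogether.
http.cors.enabled: true
# Single quotes keep backslashes in a /regex/ origin literal.
http.cors.allow-origin: '{{ es_cors_allow_origin | default("*") }}'
# "string | lower" turns a Jinja boolean (True/False) into the lowercase
# true/false form used elsewhere in this file.
http.cors.allow-credentials: {{ es_cors_allow_credentials | default(true) | string | lower }}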